ArubaOS-Switch Tunneled Node
Justin Noonan – Global TME
Ruben Iglesias – Global TME
July 2016
Introduction
What is Tunneled Node?

Tunneled Node
- Extends the AP-controller tunneling scheme to the access switches

Per-port tunnel
- A single GRE tunnel transports all traffic to/from "tunneled" interfaces
- Traffic from other interfaces is forwarded normally by the switch
- Management and control traffic is NOT tunneled

GRE
- Policy enforcement
- Tunneled Node can be applied to up to 120 physical ports

Products
- 5400R switch series with v2 and v3 modules
- 3810 switch series
- 3800 switch series
- 2930F switch series
- 2920 switch series
Use case: Unified Policy Enforcement

(Diagram) Labels: WWW; WAN / VPNs; ClearPass Policy Manager; 3rd Party Directory Svc; Local controller; Policy enforcement (CPPM, Skype for Business, etc.); Guest mgmt; Device profiling; Core Switch (VSF/IRF); 3rd party MDM; Skype for Business (Lync Edge server); SDN/API; WLAN Tunnel; Wired LAN Tunnel; LAN
Tunneled Node Testing
Generic layout

(Diagram)
- Mobility controllers: Aruba 72xx / 70xx
- Core switch: 5400R / 10500
- Access switches: 3810, etc.
- Tunnel: access switch to mobility controller
Tested layer 2 layout

(Diagram) Labels: Intranet / Internet; 10500; 3810; MAS 3500; LAG1; TRK1; 2/4/0/2; 0/0/0; 7010 MC (DHCP Server for VLAN 200); 0/0/2; 1/4/0/2; R; V10 Def; V200 Tunnel
Tested routed layout

(Diagram) Labels: Intranet / Internet; Core switch: 10500; 3810; MAS 3500; LAG1; TRK1; 2/4/0/2; 0/0/0; 7010 MC (DHCP Server for VLAN 200); 0/0/2; 1/4/0/2; R; V10 Def; V200; V11 Tunnel
Tested filtered layout

(Diagram) Labels: Intranet / Internet; 10500; 3810; MAS 3500; LAG1; TRK1; 2/4/0/2; 0/0/0; 7010 MC; 0/0/2; 1/4/0/2; R; V10 Def; V200; V11 Tunnel

Packet filter applied outbound on 10500 interface GigabitEthernet1/4/0/2:

acl number 3001
 rule 20 permit icmp
 rule 50 permit gre
 rule 51 permit tcp destination-port eq 8080
 rule 52 permit tcp destination-port eq www
 rule 53 permit tcp destination-port eq 4343
 rule 54 permit udp destination-port eq tftp
 rule 55 permit udp destination-port eq 21
 rule 56 permit udp destination-port eq syslog
 rule 57 permit udp destination-port eq 443
 rule 58 permit udp destination-port eq 22
 rule 59 permit udp destination-port eq 23
 rule 60 permit udp destination-port eq 8211
 rule 100 deny ip

interface GigabitEthernet1/4/0/2
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan
 packet-filter 3001 outbound

Port 8211 is the PAPI (Aruba proprietary) protocol – For more information go to
Tunneled-Node uses ports 50 (GRE) and 8211 (PAPI)
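The following is an added example, not part of the deck: a small simulator of the ACL shown above that parses the rules as printed, evaluates a packet against them in ascending rule-number order with first match winning, and checks that the two flows Tunneled Node depends on pass the filter. GRE is IP protocol 47 and carries no port number, so the "permit gre" rule matches on protocol; PAPI is UDP port 8211. The sample packets are constructed for the check.

```python
"""Added example (not from the deck): simulate Comware-style ACL 3001.

Rules are parsed from the text as it appears on the slide and evaluated in
ascending rule-number order, first match wins. The check confirms that GRE
(IP protocol 47, no port) and PAPI (UDP 8211) are permitted. Sample packets
are constructed.
"""
import re

ACL_3001 = """
rule 20 permit icmp
rule 50 permit gre
rule 51 permit tcp destination-port eq 8080
rule 52 permit tcp destination-port eq www
rule 53 permit tcp destination-port eq 4343
rule 54 permit udp destination-port eq tftp
rule 55 permit udp destination-port eq 21
rule 56 permit udp destination-port eq syslog
rule 57 permit udp destination-port eq 443
rule 58 permit udp destination-port eq 22
rule 59 permit udp destination-port eq 23
rule 60 permit udp destination-port eq 8211
rule 100 deny ip
"""

# Service names used by the ACL, resolved to IANA well-known port numbers.
SERVICE_PORTS = {"www": 80, "tftp": 69, "syslog": 514}
# IANA protocol numbers for the protocol keywords; "ip" matches any protocol.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}

RULE_RE = re.compile(
    r"^rule (?P<num>\d+) (?P<action>permit|deny) (?P<proto>ip|icmp|tcp|udp|gre)"
    r"(?: destination-port eq (?P<port>\S+))?$"
)

def parse_acl(text):
    """Turn the rule lines into dicts sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        port = m.group("port")
        if port is not None:
            port = SERVICE_PORTS[port] if port in SERVICE_PORTS else int(port)
        rules.append({"num": int(m.group("num")), "action": m.group("action"),
                      "proto": m.group("proto"), "dport": port})
    return sorted(rules, key=lambda r: r["num"])

def evaluate(rules, proto, dport=None):
    """First matching rule decides; returns (action, rule number).

    A packet matching nothing returns ("no-match", None); on this ACL that
    cannot happen because rule 100 catches every IP packet.
    """
    for r in rules:
        if r["proto"] != "ip" and PROTO_NUMBERS[r["proto"]] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["num"]
    return "no-match", None

def tunneled_node_flows_permitted(rules):
    """True when both GRE and PAPI (UDP 8211) pass the filter."""
    gre = evaluate(rules, PROTO_NUMBERS["gre"])
    papi = evaluate(rules, PROTO_NUMBERS["udp"], 8211)
    return gre[0] == "permit" and papi[0] == "permit"

if __name__ == "__main__":
    rules = parse_acl(ACL_3001)
    print("tunneled node flows permitted:", tunneled_node_flows_permitted(rules))
    for proto, dport in ((47, None), (17, 8211), (6, 445), (6, 443)):
        print(proto, dport, evaluate(rules, proto, dport))
```

Running it also makes a property of the rule set as printed visible: rules 55 and 57 to 59 permit UDP to ports that normally carry TCP services (21, 443, 22, 23), so a TCP connection to those ports falls through to "rule 100 deny ip". Whether that is intended for the lab is not stated on the slide; the simulator simply reports what the rules do.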
Tunneled Node and NAT: Not Supported

(Diagram) Labels: DC; Router; Tunneled node; Public IPs; Mobility controllers; Private IPs
Remote Tunneled Node

Remote controller: not recommended
(Diagram) Labels: NAT; Router; Mobility controllers; Tunneled node; Private IPs

Use local controller for tunneled node
(Diagram) Labels: NAT; Router; Local controller; Mobility controllers; Tunneled node; Private IPs
Tunneled Node Configuration
Tunneled Node Configuration – Switch Configuration Steps

Step 1: Set up the Tunneled-Node-Server IP address (Aruba Mobility Controller)
Aruba-Stack-3810M(config)# tunneled-node-server controller-ip

Optional: Set up the backup controller IP
Aruba-Stack-3810M(config)# tunneled-node-server backup-controller-ip

Optional: Set the Tunneled-Node keepalive timer – the time interval between keepalive messages (default = 8)
Aruba-Stack-3810M(config)# tunneled-node-server keepalive interval <1-8>
Configures the time interval between two successive keepalive messages sent to the controller.

Step 2: Enable Tunneled-Node on the interface
Aruba-Stack-3810M(config)# interface 1/23
Aruba-Stack-3810M(eth-1/23)# tunneled-node-server

Step 3: Check that the Tunneled-Node tunnel is complete
Aruba-Stack-3810M(config)# show tunneled-node-server state

 Tunneled Node Port State

  Active Controller IP Address :

  Port   State
  2/23   Complete
Tunneled Node Configuration – Statistic View

Aruba-Stack-3810M(config)# show tunneled-node-server statistics

 Tunneled Node Statistics

  Port : 2/23

  Control Plane Statistics
   Bootstrap packets sent     : 1
   Bootstrap packets received : 1
   Bootstrap packets invalid  : 0

  Tunnel Statistics
   Rx Packets : 302
   Tx Packets : 0
   Rx 5 Minute Weighted Average Rate (Pkts/sec) : 0
   Tx 5 Minute Weighted Average Rate (Pkts/sec) : 0

  Aggregate Statistics
   Heartbeat packets sent     :
   Heartbeat packets received :
   Heartbeat packets invalid  : 0
   Fragmented Packets Dropped (Rx) : 0
   Packets to Non-Existent Tunnel  : 0
   MTU Violation Drop : 0
Tunneled Node Configuration – 3810M switch

ip route
tunneled-node-server controller-ip
exit
interface 1/21
interface 1/23
interface 1/24
vlan 11
   name "VLAN11"
   untagged Trk1
   ip address
   exit
vlan 200
   name "VLAN200"
   untagged 1/21,1/23-1/24
   tagged 1/1,Trk1
   no ip address
   ip helper-address
   jumbo

Note: The Mobility Access Switch will establish a single GRE tunnel between it and a Mobility Controller for Tunneled Node operation. However, from the perspective of the Mobility Controller, each Tunneled Node port from a single switch/stack will appear as an individual tunnel and consume tunnel resources as such.
Tunneled Node Configuration – MAS 3500 switch

!
interface vlan "11"
   ip address
   ip-profile
   default-gateway
interface-profile switching-profile "10500 link"
   access-vlan 11
   native-vlan 10
   trunk allowed vlan 10
interface-profile switching-profile "TunneledPorts"
   access-vlan 200
   native-vlan 200
   trunk allowed vlan 200
interface-profile tunneled node-profile "default"
   controller-ip
!
interface gigabitethernet "0/0/0"
   switching-profile "10500 link"
interface gigabitethernet "0/0/23"
   tunneled node-profile "default"
   switching-profile "TunneledPorts"
interface gigabitethernet "0/0/24"
interface gigabitethernet "0/0/25"
   switching-profile "TunneledPorts"
Tunneled Node Status – Aruba Mobility Controller
Note: Tunnel is automatically created when Tunneled-Node is enabled on switch interface
Tunneled Node Configuration – Mobility Controller

(Screenshots of the controller UI, numbered 1, 2 and 3)
ClearPass Authentication – Controller Wired Access Profile

Example Controller AAA config:

aaa rfc-3576-server " "
!
aaa authentication mac "default"
aaa authentication dot1x "default"
aaa authentication dot1x "NewDot1x"
aaa authentication-server radius " "
   host " "
   key 6b63f476e437838c6a4ac563e07cd8a5e14166fd391049c5
   nas-identifier " "
   nas-ip
aaa server-group "CPPM"
   auth-server
aaa server-group "default"
   auth-server Internal
   set role condition role value-of
aaa profile "CPPM-dot1x"
   authentication-dot1x "NewDot1x"
   dot1x-server-group "CPPM"
   rfc-3576-server " "
aaa profile "default"
aaa authentication captive-portal "default"
aaa authentication wispr "default"
aaa authentication vpn "default"
aaa authentication vpn "default-rap"
aaa authentication mgmt
aaa authentication stateful-ntlm "default"
aaa authentication stateful-kerberos "default"
aaa authentication stateful-dot1x
aaa authentication wired profile "CPPM-dot1x"

Ensure that the Wired Access profile in the Aruba Mobility Controller is configured correctly and enabled. This allows the controller to handle authentication when a client is plugged into a tunneled-node port on the switch.
CLI example: aaa authentication wired profile "CPPM-dot1x"
ClearPass Authentication – Client View

1. A Windows client is plugged into a tunneled-node port
2. Enter the proper user credentials into the 802.1X authentication settings
3. The client authenticates and receives an IP address
ClearPass Authentication – Access Tracker

Client user access can be monitored from the Access Tracker in ClearPass. It shows which source the user is authenticating with (i.e. RADIUS), which ClearPass service profile is being used, and whether the login was accepted or rejected.
Tunneled Node Frame Details

When a port is configured for tunneled node, ingress packets are encapsulated in an IP GRE frame which is then forwarded to the controller.
A unique GRE key is needed – 1 to 1 mapping:
- For the controller to uniquely identify the GRE packet's source port
- For the switch to send the de-capsulated packet to the particular port
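The encapsulation described above, as an added example that is not part of the deck or of Aruba's implementation: an Ethernet frame is wrapped in a GRE header carrying the RFC 2890 key field, inside an IPv4 header with protocol 47, and the receiver recovers the key and uses it as the 1-to-1 handle for the originating switch port. The IPv4 and GRE layouts are the standard ones; the addresses, the key-to-port table and the inner frame are constructed for the example, and the key values are placeholders rather than anything the switch actually allocates.

```python
"""Added example (not from the deck): build and decode an Ethernet-in-GRE-in-IPv4
frame with a GRE key, and map the key back to a switch port.

Standard IPv4 and GRE (RFC 2784/2890) layouts; addresses, key table and the
inner frame are constructed.
"""
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number of GRE
ETHERTYPE_TEB = 0x6558   # Transparent Ethernet Bridging: GRE payload is an Ethernet frame
GRE_FLAG_C = 0x8000      # checksum present
GRE_FLAG_K = 0x2000      # key present
GRE_FLAG_S = 0x1000      # sequence number present

# Constructed 1:1 table: the key the controller sees for each tunneled port (placeholder values).
KEY_TO_PORT = {0x00010017: "1/23", 0x00010018: "1/24"}

def ipv4_checksum(hdr):
    """Ones-complement sum of the header words; over a correct header it yields 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF

def build_gre_frame(src_ip, dst_ip, key, inner_frame):
    """Encapsulate: IPv4 | GRE (K=1, key) | inner Ethernet frame."""
    gre = struct.pack("!HHI", GRE_FLAG_K, ETHERTYPE_TEB, key)
    total_len = 20 + len(gre) + len(inner_frame)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                      GRE_PROTO, 0,
                      ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner_frame

def parse_gre_frame(pkt):
    """Return (src_ip, dst_ip, key, inner_frame) or raise ValueError."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("truncated IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if pkt[9] != GRE_PROTO:
        raise ValueError(f"IP protocol {pkt[9]} is not GRE")
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    flags, ethertype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if not flags & GRE_FLAG_K:
        raise ValueError("GRE header has no key, so the packet cannot be tied to a port")
    if ethertype != ETHERTYPE_TEB:
        raise ValueError(f"GRE payload 0x{ethertype:04x} is not an Ethernet frame")
    off = ihl + 4
    if flags & GRE_FLAG_C:
        off += 4                       # checksum + reserved1 precede the key
    key = struct.unpack("!I", pkt[off:off + 4])[0]
    off += 4
    if flags & GRE_FLAG_S:
        off += 4                       # sequence number follows the key
    return src, dst, key, pkt[off:]

def port_for_packet(pkt):
    """Controller-side view: (switch port, inner frame); port is None for an unknown key."""
    _, _, key, inner = parse_gre_frame(pkt)
    return KEY_TO_PORT.get(key), inner

# Constructed inner frame: broadcast destination, made-up source MAC, ARP ethertype, 28 zero bytes.
INNER_FRAME = bytes.fromhex("ffffffffffff 001122334455 0806") + bytes(28)
SAMPLE_PKT = build_gre_frame("192.0.2.10", "192.0.2.1", 0x00010017, INNER_FRAME)

if __name__ == "__main__":
    print(parse_gre_frame(SAMPLE_PKT)[:3], port_for_packet(SAMPLE_PKT)[0])
```

An unknown key returning None is the receiver-side counterpart of the "Packets to Non-Existent Tunnel" counter on the statistics slide: the packet is well formed but does not correspond to any configured tunnel, and the decision of what to do with it belongs to the caller.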
What happens if an AP is plugged into a Tunneled-Node port?

(Diagram: 3810 / MAS S3500)
Behavior: tunnel in a tunnel
- Can cause a network performance issue
- Not an ideal scenario
Tunneled Node – Does not work with…

Globally:
- IP Multicast Routing
- OpenFlow
- QinQ
- Distributed Trunking
- Switch Meshing
- VXLAN
- Per VLAN IP addressing – manual & DHCP
- DHCP Snooping (IPv4/6)
- ARP Protect

Per Port:
- 802.1X/MAC Auth/Web Auth/LMA/Port Sec
- RA Guard
- MACsec
- DIPLD (IPv4/6)
- Port Trunking
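As an added example (my code, not the deck's or Aruba's), the incompatibility list above can be enforced as a pre-deployment lint over an ArubaOS-Switch running-config: collect the ports whose interface stanza contains "tunneled-node-server", then report global features that cannot coexist with Tunneled Node anywhere on the switch and per-port features applied to a tunneled port. The sample config is constructed, and the command keywords that identify each feature are my assumptions about ArubaOS-Switch syntax (the list deliberately covers only the features whose commands I could name); check them against the switch's own CLI before relying on the report.

```python
"""Added example (not from the deck): lint an ArubaOS-Switch running-config for
combinations the slide lists as unsupported with Tunneled Node.

Sample config is constructed; the feature keywords are assumed syntax.
"""
import re

# Global features from the slide -> config keyword assumed to enable them.
GLOBAL_CONFLICTS = {
    "ip multicast-routing": "IP Multicast Routing",
    "openflow": "OpenFlow",
    "qinq": "QinQ",
    "distributed-trunking": "Distributed Trunking",
    "mesh": "Switch Meshing",
    "vxlan": "VXLAN",
    "dhcp-snooping": "DHCP Snooping",
    "dhcpv6-snooping": "DHCPv6 Snooping",
    "arp-protect": "ARP Protect",
}

# Per-port features from the slide -> assumed command, with its port list captured.
PORT_CONFLICTS = [
    (re.compile(r"^aaa port-access (?:authenticator|mac-based|web-based|local-mac) (\S+)"),
     "802.1X/MAC/Web/LMA authentication"),
    (re.compile(r"^port-security (\S+)"), "Port Security"),
    (re.compile(r"^ipv6 ra-guard ports (\S+)"), "RA Guard"),
    (re.compile(r"^ip source-lockdown (\S+)"), "Dynamic IP Lockdown"),
    (re.compile(r"^trunk (\S+) "), "Port Trunking"),
]

PORT_TOKEN = re.compile(r"^(?:(\d+)/)?(\d+)(?:-(?:(\d+)/)?(\d+))?$")

def expand_ports(spec):
    """'1/21,1/23-1/24' -> ['1/21', '1/23', '1/24'] (numeric member/port names only)."""
    ports = []
    for tok in spec.split(","):
        m = PORT_TOKEN.match(tok)
        if not m:
            raise ValueError(f"unrecognised port list {tok!r}")
        member, first, member2, last = m.groups()
        if member2 and member2 != member:
            raise ValueError(f"range {tok!r} spans stack members")
        prefix = f"{member}/" if member else ""
        last = int(last) if last is not None else int(first)
        ports += [f"{prefix}{n}" for n in range(int(first), last + 1)]
    return ports

def tunneled_ports(config_text):
    """Ports whose interface stanza contains 'tunneled-node-server'."""
    found, current = set(), []
    for line in config_text.splitlines():
        if not line.strip():
            continue
        stripped = line.strip()
        if not line[0].isspace():                 # top-level command starts a new context
            m = re.match(r"^interface (\S+)$", stripped)
            current = expand_ports(m.group(1)) if m else []
        elif stripped == "tunneled-node-server":
            found.update(current)
    return found

def lint(config_text):
    """Return sorted (scope, feature, detail) findings for the config."""
    tunneled = tunneled_ports(config_text)
    findings = set()
    for line in config_text.splitlines():
        if not line.strip() or line[0].isspace():
            continue                              # only top-level commands enable these features
        stripped = line.strip()
        for keyword, feature in GLOBAL_CONFLICTS.items():
            if stripped == keyword or stripped.startswith(keyword + " "):
                findings.add(("global", feature, stripped))
        for rx, feature in PORT_CONFLICTS:
            m = rx.match(stripped)
            if m:
                for port in expand_ports(m.group(1)):
                    if port in tunneled:
                        findings.add(("port", feature, port))
    return sorted(findings)

SAMPLE_CONFIG = """\
ip multicast-routing
dhcp-snooping
tunneled-node-server controller-ip 192.0.2.1
trunk 1/1-1/2 trk1 trunk
interface 1/21
   tunneled-node-server
   exit
interface 1/23-1/24
   tunneled-node-server
   exit
vlan 200
   name "VLAN200"
   untagged 1/21,1/23-1/24
   tagged 1/1,Trk1
   exit
aaa port-access authenticator 1/23-1/24
port-security 1/1 learn-mode static
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the trunk and port-security entries produce no finding because they sit on ports that are not tunneled, whereas the 802.1X authenticator on 1/23-1/24 is flagged: on a tunneled port authentication is handled by the controller's wired AAA profile (see the ClearPass slides), not by the switch.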
Tunneled Node – Best Practices

Recommendations:
- Avoid plugging access points into wired tunneled-node ports. This creates a "tunnel within a tunnel", which can impact performance. Instead, set aside physical ports to use solely for access points and wired tunneled node ports (i.e. one block of ports for APs, one for wired tunneled node ports).
- Ensure that the wireless controller can handle the necessary bandwidth and number of tunnels (the maximum number of physical ports that can be used as tunnels is 120).
- Ensure that the Tunneled-Node VLAN is present and enabled on both the controller and the switch.
- Ensure that enough licenses are on the controller to handle the tunneled-node ports within the network (1 switch with Tunneled-Node ports enabled = 1 license on the controller).

(Diagram labels: AP Ports; Tunneled-Node Ports)
Thank you